1. Introduction


Salesforce, Inc. and its affiliates are committed to achieving and maintaining customer trust. Integral to 
this mission is providing a robust security and privacy program that carefully considers data protection 
matters. 


In accordance with the General Data Protection Regulation and, as applicable, the Swiss Data Protection 
Laws and Regulations, the Salesforce Processor BCR (as defined below) is intended to provide an 
adequate level of protection for Personal Data during international transfers within the Salesforce Group 
made on behalf of Customers and under their instructions.¹


2. Definitions 


- Controller means the entity which determines the purposes and the means of the processing of
Personal Data. 


- Customer(s) means (i) a legal entity with whom a member of the Salesforce Group has executed a
contract to provide the Services (or a legal entity placing an order under such contract) and such 
contract incorporates by reference the Salesforce Processor BCR or (ii) a legal entity with whom a 
member of the Salesforce Group has executed a contract under which the legal entity is entitled to 
resell the Services to its end customers and such contract incorporates by reference the Salesforce 
Processor BCR. 


- Data Subject means the identified or identifiable person to whom Personal Data relates.


- General Data Protection Regulation or GDPR means European Regulation 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with 
regard to the processing of personal data and on the free movement of such data and repealing 
European Directive 95/46/EC. 


- Personal Data means any information relating to (i) an identified or identifiable natural person; and
(ii) an identified or identifiable legal entity (where such information is protected similarly as personal 
data or personally identifiable information under Swiss Data Protection Laws and Regulations). 


- Processor means the entity which processes Personal Data on behalf of the Controller.


- Salesforce Group means Salesforce, Inc. and its affiliate Sub-processors of Personal Data, listed as a
‘Salesforce Affiliate’ in the Infrastructure and Sub-processor documentation for each Service covered 
by the Salesforce Processor BCR, available here. 


¹ For clarity, a Customer (as defined in Section 2) may be a Controller or a Processor of Personal Data. Where a
Customer is a Processor of Personal Data, the Salesforce Group shall process Personal Data as Sub-processors on
behalf of the Controller. Instructions from the Controller regarding the processing of Personal Data shall be given
through the Processor. 


- Salesforce Processor BCR means Salesforce’s Processor Binding Corporate Rules for the Processing
of Personal Data, the most current version of which is available on Salesforce Group’s website, 
currently located here. 


- Services means the online services provided to Customer by the Salesforce Group, as listed in
Appendix A. 


- Sub-processor means any Processor engaged by a member of the Salesforce Group.


- Supervisory Authority means an independent public authority which is established by an EU
member state pursuant to Article 51 of the GDPR, and/or, as applicable, the Swiss data protection 
authority established under the Swiss Data Protection Laws and Regulations. 


- Swiss Data Protection Laws and Regulations means the Swiss Federal Data Protection Act 1992
and its successor laws. 


3. Scope and Application 


The purpose of the Salesforce Processor BCR is to govern international transfers of Personal Data to and 
between members of the Salesforce Group, and to third-party Sub-processors (in accordance with written 
agreements with any such third-party Sub-processors) when acting as Processors and/or Sub-processors 
on behalf and under the documented instructions of Customers. 


The Salesforce Processor BCR applies to Personal Data submitted to the Services by: 


- Customers established in an EEA member state or Switzerland whose processing activities for the
relevant data are governed by the GDPR or, as applicable, by the Swiss Data Protection Laws and 
Regulations; or 


- Customers established in non-EEA member states for which the customer has contractually
specified that the GDPR and implementing national legislation shall apply. 


The Salesforce Group may update the Salesforce Processor BCR with approval from the Salesforce 
Group’s appointed privacy leader, general counsel and compliance officer. All changes to the Salesforce 
Processor BCR shall be communicated to members of the Salesforce Group. 


The Salesforce Group’s appointed privacy leader shall be responsible for keeping a fully updated list of 
the members of the Salesforce Group and third-party Sub-processors and making appropriate notifications 
to Customers and the French data protection authority (“CNIL”) in its capacity as competent Supervisory
Authority for the Salesforce Processor BCR. The Salesforce Group shall not transfer Personal Data to a 
new member of the Salesforce Group until such member is appropriately bound by and complies with the 
Salesforce Processor BCR. 


The Salesforce Group shall make the most current version of the Salesforce Processor BCR, including the 
members of the Salesforce Group, available here. Significant changes to the Salesforce Processor BCR 
and/or the list of members of the Salesforce Group will be reported (a) in a timely fashion to Customers 
and (b) once per year to the relevant Supervisory Authorities via the CNIL in its capacity as competent 
Supervisory Authority for the Salesforce Processor BCR accompanied by a brief explanation of the 
changes. 


When the changes to the Salesforce Processor BCR affect the processing conditions, the Salesforce Group
shall inform the Customer in such a timely fashion that Customer has the possibility to object to the 
change or to terminate the contract before the modification is made. 


The categories of Personal Data, the types of processing and its purposes, the types of Data Subjects 
affected and the identification of the recipients in the third countries are set out in Section 5 below. 


It shall be the responsibility of a Customer to apply the Salesforce Processor BCR to: 
- All Personal Data processed for processor activities and that are submitted to EU and, as 
applicable, Swiss law; or 
- All processing of Personal Data for processor activities within the Salesforce Group whatever 
the origin of the data. 


4. Responsibilities Towards Customers 


A. General Obligations 


The Salesforce Group and its employees shall comply with the Salesforce Processor BCR, process 
Personal Data only upon a Customer’s documented instruction and shall have a duty to respect 
Customer’s instructions regarding the data processing and the security and confidentiality of Personal 
Data, pursuant to the measures provided in the contracts executed with Customers. 


The Salesforce Group shall immediately inform the Customer if in its opinion an instruction infringes the 
GDPR or other EU or EU member state law or, as applicable, Swiss data protection provisions. 


B. Transparency, Fairness, Lawfulness and Cooperation with Customers 


The Salesforce Group undertakes to be transparent regarding its Personal Data processing activities and to 
provide Customers with reasonable cooperation and assistance within a reasonable period of time to help 
facilitate their respective data protection obligations regarding Personal Data, to the extent Customer, in 
its use of the Services, does not have the reasonable ability to address such obligations. 


C. Data Subject Rights 


Members of the Salesforce Group act as Processors on behalf of Customers. As between the Salesforce 
Group and Customers, Customers have the primary responsibility for interacting with Data Subjects, and 
the role of the Salesforce Group is generally limited to assisting Customers as needed. 


i. Data Subject Requests 


The Salesforce Group shall promptly notify Customer if the Salesforce Group receives a request from a 
Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of processing, 
erasure (“right to be forgotten”), data portability, object to the processing, or its right not to be subject to 
an automated individual decision making (“Data Subject Request”). Taking into account the nature of the 
processing, the Salesforce Group shall assist Customer by appropriate technical and organizational 
measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data 
Subject Request under the GDPR or, as applicable, an equivalent obligation under Swiss Data Protection 
Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the 
ability to address a Data Subject Request, the Salesforce Group shall upon Customer’s request provide 
commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the 
extent the response to such Data Subject Request is required under the GDPR or, as applicable, an
equivalent obligation under Swiss Data Protection Laws and Regulations. To the extent legally permitted, 
Customer shall be responsible for any costs arising from the Salesforce Group’s provision of such 
assistance. 


ii. Handling of Complaints 


The Salesforce Group’s Privacy department shall be responsible for handling complaints related to 
compliance with the Salesforce Processor BCR. 


Data Subjects may lodge a complaint about processing of their respective Personal Data that is 
incompatible with the Salesforce Processor BCR by contacting the relevant Customer or the Salesforce 
Group’s Privacy department at the email address privacy@salesforce.com. The Salesforce Group shall 
without undue delay communicate the complaint to the Customer to whom the Personal Data relates 
without obligation to handle it (except if it has been agreed otherwise with Customer). 


Customers shall be responsible for responding to all Data Subject complaints forwarded by the Salesforce 
Group except in cases where a Customer has disappeared factually or has ceased to exist in law or 
become insolvent. Where the Salesforce Group is aware of such a case, it undertakes to respond directly 
to Data Subjects’ complaints within one (1) month, including the consequences of the complaint and 
further actions Data Subjects may take if they are unsatisfied by the reply (such as lodging a complaint 
before the relevant Supervisory Authority). Taking into account the complexity and number of requests, 
this period of one (1) month can be extended by two (2) further months in which case the Salesforce 
Group will inform the Data Subjects accordingly. 


D. Regulatory Inquiries and Complaints 


The Salesforce Group shall, to the extent legally permitted, promptly notify a Customer if the Salesforce 
Group receives an inquiry or complaint from a Supervisory Authority in which that Customer is 
specifically named. Upon a Customer’s request, the Salesforce Group shall provide the Customer with 
cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation 
to any regulatory inquiry or complaint involving the Salesforce Group’s processing of Personal Data. 


E. Data Protection Impact Assessments 


Upon Customer’s request, the Salesforce Group shall provide Customer with reasonable cooperation and 
assistance needed to fulfil Customer’s obligation under the GDPR (or, as applicable, under the Swiss Data 
Protection Laws and Regulations) to carry out a data protection impact assessment related to Customer’s 
use of the Services, to the extent Customer does not otherwise have access to the relevant information, 
and to the extent such information is available to the Salesforce Group. The Salesforce Group shall 
provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory 
Authority in the performance of its tasks relating to this Section 4 E. of the Salesforce Processor BCR to 
the extent required under the GDPR (or, as applicable, under the Swiss Data Protection Laws and 
Regulations). 


F. Records of Processing Activities 


As required by data protection laws and regulations, the Salesforce Group shall maintain a record of all 
categories of processing activities carried out on behalf of each Customer. 


5. Description of Processing Operations and Transfers


A. Purpose Limitation 


The Salesforce Group shall only process Personal Data on behalf of and in accordance with Customer’s 
documented instructions for the following purposes: (i) processing in accordance with a Customer’s 
instructions set forth in the Customer’s contract with a member of the Salesforce Group including with 
regard to transfers of personal data to a third country (unless the Salesforce Group is legally required to 
do so by EU or EU member state law, or, as applicable, Swiss law, in which case prior information will be 
provided by the Salesforce Group to Customer unless such information is legally prohibited); and (ii) 
processing initiated by the Customer in its use of the Services. If the Salesforce Group cannot comply 
with such purpose limitation, a member of the Salesforce Group shall promptly notify the relevant 
Customer, and such Customer shall be entitled to suspend the transfer of Personal Data and/or terminate 
the applicable order form(s) in respect to only those Services which cannot be provided by the Salesforce 
Group in accordance with such Customer’s instructions. On the termination of the provision of such 
Services, the Salesforce Group and third-party Sub-processors shall, at the choice of the Customer, return 
the Personal Data to the Customer and/or delete the Personal Data as set forth in the applicable customer 
contract and upon request from Customer, the Salesforce Group shall certify that it has done so. The only 
exception to this is if the law applicable to the Salesforce Group and its third-party Sub-processors 
requires the Salesforce Group and its third-party Sub-processors to retain the data that has been 
transferred in which case the Salesforce Group will inform the Customer and warrant that it will 
guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal 
Data transferred anymore. 


B. Nature of Personal Data Processed 


The Salesforce Processor BCR will apply to Personal Data submitted by Customers to the Services. The 
Salesforce Group’s Customers determine what Personal Data, if any, is submitted to the Services under 
the conditions set out in the contract. 


The following types of Personal Data are oftentimes submitted to the Services. 


- First and last name
- Title
- Position
- Employer
- Contact information (company, email, phone, physical business address)
- ID data
- Professional life data
- Personal life data
- Location data


These types of Personal Data oftentimes relate to the following categories of data subjects: 


- Prospects, customers, business partners and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of Customer (who are natural persons)
- Customer’s users authorized by Customer to use the Services


Customers are allowed to submit sensitive personal data or special categories of Personal Data to some
Services under the conditions set out in the contract. 


C. Affected Data Subjects 


The Salesforce Group does not choose or determine the categories of Data Subjects that relate to the 
Personal Data submitted to the Services. The Salesforce Group’s Customers solely determine the Data 
Subjects whose Personal Data is submitted to the Services. 


D. Countries of location of the Salesforce Group Affiliate Sub-processors 


The countries where the Salesforce affiliate Sub-processors of Personal Data are located are listed in the 
Infrastructure and Sub-processor documentation for each Service covered by the Salesforce Processor 
BCR, available here. 


E. Data Quality 


Customers have access to, and control of, Personal Data in their use of the Services. To the extent a 
Customer, in its use of the Services, does not have the ability to anonymize, correct, amend, update or 
delete Personal Data, as required by applicable laws, the Salesforce Group shall comply with any request 
by a Customer in a reasonable period of time and to the extent reasonably possible to facilitate such 
actions by executing any measures necessary to comply with the law, in a reasonable period of time and to 
the extent reasonably possible to the extent the Salesforce Group is legally permitted to do so. The 
Salesforce Group will, to the extent reasonably required for this purpose, inform each member of the 
Salesforce Group to whom the Personal Data may be stored of any anonymization, rectification, 
amendment, update or deletion of such data. If any such anonymization, correction, amendment, update 
or deletion request is applicable to a third-party Sub-processor’s processing of Personal Data, the 
Salesforce Group shall communicate such request to the applicable third-party Sub-processor(s). 


F. Sub-processing 


i. Sub-processing Within the Salesforce Group 


As set forth in applicable contracts with Customers, members of the Salesforce Group may be retained as 
Sub-processors of Personal Data, and depending on the location of the Salesforce Group member, 
processing of Personal Data by such Sub-processors may involve transfers of Personal Data. The 
Salesforce Processor BCR extends to all members of the Salesforce Group. The Salesforce Processor 
BCR is incorporated by reference into the Salesforce Group’s code of conduct which is available here. 


ii. Sub-processing by Third Parties 


As set forth in applicable contracts with Customers, members of the Salesforce Group may retain 
third-party Sub-processors, and depending on the location of the third-party Sub-processor, processing of 
Personal Data by such Sub-processors may involve transfers of Personal Data. Such third-party 
Sub-processors shall process Personal Data only: (i) in accordance with the Customer’s instructions set 
forth in the Customer’s contract with a member of the Salesforce Group; or (ii) if processing is initiated 
by the Customer in its use of the Services. The current list of third-party Sub-processors engaged in 
processing Personal Data, including a description of their processing activities, is available in the 
Infrastructure and Sub-processor documentation for each Service covered by the Salesforce Processor 
BCR, available here. Such third-party Sub-processors have entered into written agreements with a
member of the Salesforce Group in accordance with the applicable requirements of Articles 28, 29, 32, 
45, 46 and 47 of the GDPR, or, as applicable, corresponding provisions of the Swiss Data Protection 
Laws and Regulations, as well as the relevant sections of the Salesforce Processor BCR as applicable to 
the third-party Sub-processor’s processing activities. 


iii. Notification of New Sub-processors and Objection Rights 


As set forth in applicable contracts with Customers, the Salesforce Group shall provide Customers with 
prior notification before a new Sub-processor begins processing Personal Data. Within thirty (30) days of 
receiving such notice, a Customer may object to Salesforce Group’s use of a new Sub-processor by 
notifying the Salesforce Group in accordance with the provisions set forth in the Customer’s contract. In 
the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, the Salesforce 
Group will use reasonable efforts to make available to Customer a change in the Services or recommend a 
commercially reasonable change to Customer’s configuration or use of the Services to avoid processing 
of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If 
the Salesforce Group is unable to make available such change within a reasonable period of time, which 
shall not exceed sixty (60) days, Customer may terminate the applicable order form(s) with respect only 
to those Services which cannot be provided by the Salesforce Group without the use of the objected-to 
new Sub-processor by providing written notice to the Salesforce Group. The Salesforce Group will refund 
Customer any prepaid fees covering the remainder of the term of such order form(s) following the 
effective date of termination with respect to such terminated Services, without imposing a penalty for 
such termination on Customer. 


6. Confidentiality and Security Measures 


A. Confidentiality and Training 


The Salesforce Group shall ensure that its personnel engaged in the processing of Personal Data are 
informed of the confidential nature of the Personal Data, have executed written confidentiality agreements 
and have received appropriate training on their responsibilities. Additionally, the Salesforce Group shall 
ensure that its personnel responsible for the development of the tools used to process Personal Data have 
received appropriate training on their responsibilities. The Salesforce Group shall also ensure that its 
personnel engaged in the processing of Personal Data are limited to those personnel who require such 
access to perform the Salesforce Group’s obligations under applicable contracts with Customers. 


B. Data Security 


The Salesforce Group shall maintain appropriate administrative, technical and physical measures for 
protection of the security (including protection against unauthorized or unlawful processing and against 
accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, 
Personal Data), confidentiality and integrity of Personal Data, as set forth in applicable contracts with 
Customers. The Salesforce Group shall implement technical and organizational measures which at least 
meet the requirements of the GDPR or, as applicable, Swiss Data Protection Laws and Regulations and 
any existing particular measure specified in the contract with the Customer. The Salesforce Group 
regularly monitors compliance with these measures. The Salesforce Group will not materially decrease 
the overall security of the Services during a Customer’s applicable subscription term. 


C. Personal Data Incident Management and Notification


In the event a member of the Salesforce Group becomes aware of the accidental or unlawful destruction, 
loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise 
processed by the Salesforce Group or its Sub-processors (a “Personal Data Incident”) the Salesforce 
Group will without undue delay after becoming aware notify affected Customers. The Salesforce Group 
shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as 
the Salesforce Group deems necessary and reasonable in order to remediate the cause of such a Personal 
Data Incident to the extent the remediation is within the Salesforce Group’s reasonable control. The 
obligations herein shall not apply to incidents that are caused by Customer or Customer’s users. 


D. Audits 


The Salesforce Group shall maintain an audit program to help ensure compliance with the Salesforce 
Processor BCR, including the following third-party audits and certifications, internal verification and 
audits by Customers. The audit program covers all aspects of the Salesforce Processor BCR, including 
methods for ensuring non-compliance is addressed. 


i. Third-Party Audits and Certifications 


The Security, Privacy and Architecture Documentation, available here, describes the third-party audits and
certifications applicable to each Service. The scope of these third-party audits and certifications is set 
forth in the corresponding audit reports and certificates which the Salesforce Group shall make available 
to its Customers upon request. Where the Salesforce Group has obtained the following third-party audits 
and certifications, the Salesforce Group agrees to maintain these, or their successors. 


- ISO 27001 certification: The Salesforce Group is subject to an information security
management system (ISMS) in accordance with the ISO 27001 international standard. Members 
of the Salesforce Group have achieved ISO 27001 certification for their ISMS from an 
independent third party. 


- SSAE 18 Service Organization Control (SOC) reports: The Salesforce Group’s information
security control environment applicable to the Services undergoes an independent evaluation in 
the form of SSAE 18 Service Organization Control (SOC) reports, which are available to 
Customers upon request. 


ii. Network of Privacy Personnel and Internal Verification 


The Salesforce Group has appointed a network of privacy personnel responsible for overseeing and 
ensuring compliance with the Salesforce Group’s data protection responsibilities at a local and global 
level, including compliance with this Salesforce Processor BCR, advising management on data protection 
matters, liaising with data protection authorities, and handling data protection-related complaints. Each 
member of the Salesforce Group shall be assigned such a member of the network of privacy personnel. Such
privacy personnel are primarily responsible for privacy-related matters and report to the Salesforce 
Group’s appointed privacy leader (who reports to the Salesforce Group’s general counsel) and benefit 
from the support of the Salesforce Group’s senior management. The Salesforce Group’s appointed privacy 
leader is responsible for the Salesforce Group’s compliance with applicable privacy and data protection 
laws and leads the Salesforce Group’s network of privacy personnel. The Salesforce Group’s network of 
privacy personnel have regional responsibility for the Salesforce Group’s compliance with applicable 
privacy and data protection laws. 


The Salesforce Group’s compliance department shall conduct an annual assessment of the Salesforce 
Group’s compliance with the Salesforce Processor BCR, which is provided to the Salesforce Group’s 
appointed privacy leader, compliance officer and Salesforce, Inc.’s board of directors. Such an assessment 
shall include any necessary corrective actions, timeframes for completing such corrective actions, and 
follow up by Salesforce’s compliance department to ensure such corrective actions have been completed. 


The Supervisory Authority competent for the Customer may upon request have access to the results of 
such annual assessment and may carry out a data protection audit of any member of the Salesforce Group, 
if required. 


iii. Customer Audits 


Upon a Customer’s written request, and subject to appropriate confidentiality obligations, the Salesforce
Group shall make available to the Customer (or such Customer’s independent, third-party auditor that is
not a competitor of the Salesforce Group) information regarding the Salesforce Group’s and third-party
Sub-processors’ compliance with the data protection controls set forth in this Salesforce Processor BCR.


With respect to the Salesforce Group’s compliance with the data protection controls set forth in the 
Salesforce Processor BCR, the Salesforce Group shall make available third-party certifications and audits 
set forth in the contract to the extent Salesforce makes them generally available to its customers. 


With respect to third-party Sub-processors’ compliance with the data protection controls set forth in the 
Salesforce Processor BCR, the Salesforce Group shall provide the requesting Customer a report of the 
Salesforce Group’s audits of third-party Sub-processors and/or a report of third party auditors’ audits of 
third-party Sub-processors that will have been provided by those third-party Sub-processors to the 
Salesforce Group. 


Customer acknowledges and agrees to exercise its audit right by hereby instructing the Salesforce Group 
and the Salesforce Group’s third party Sub-processors to carry out the audit as described in this Section 
6.D (iii). 


Customer has the right to change at any moment its instruction regarding the exercise of its audit right by 
sending the relevant member of the Salesforce Group a notice in writing. 


If Customer changes its instruction and thereby requests to exercise its audit right directly, Customer shall 
reimburse the Salesforce Group for any time expended by the Salesforce Group or its third-party 
Sub-processors for any on-site audit carried out by the Customer. Before any such on-site audit 
commences, the requesting Customer and the Salesforce Group or its third party Sub-processors as 
appropriate shall mutually agree upon the scope, timing, and duration of the audit in addition to the 
reimbursement rate for which the Customer shall be responsible. All reimbursement rates shall be 
reasonable, taking into account the resources expended by the Salesforce Group or its third-party 
Sub-processors. 


As set forth in applicable contracts with Customers, a Customer who performs an audit in accordance
with this Section must promptly provide the Salesforce Group with information regarding any
non-compliance discovered during the course of an audit.


Nothing in this Section affects any Supervisory Authority’s or Data Subject’s rights under the Salesforce 
Processor BCR. 


7. Third-Party Beneficiary Rights


A. Rights directly enforceable against the Salesforce Group 


Data Subjects may directly enforce the following elements of the Salesforce Processor BCR against the 
Salesforce Group as third party beneficiaries: 


a. Duty to respect the instructions from the Customer acting as Controller regarding the
Data Processing including for data transfers to third countries located outside the EEA;

b. Duty to implement appropriate technical and organizational security measures and duty to
notify any security breach to the Customer acting as Controller;

c. Duty to respect the conditions when engaging a Sub-processor either within or outside the
Salesforce Group;

d. Duty to cooperate with and assist the Customer acting as Controller in complying and
demonstrating compliance with the law such as for answering requests from Data
Subjects in relation to their rights;

e. Provide an easy access to the Salesforce Processor BCR;

f. Right to complain through internal complaint mechanisms;

g. Duty to cooperate with the Supervisory Authority;

h. Liability, compensation and jurisdiction provisions; and

i. National legislation preventing respect of the Salesforce Processor BCR.


B. Rights enforceable against the Salesforce Group where the Data Subject is not able to bring a 
claim against the Customer acting as Controller 


Data Subjects may directly enforce against the Salesforce Group the following elements of the Salesforce 
Processor BCR as third-party beneficiaries in those limited situations where a Data Subject is unable to 
bring a claim against the relevant Customer because such Customer has factually disappeared or ceased to 
exist in law or become insolvent unless a successor entity has been appointed to assume the legal 
obligations of the Customer by contract or by operation of law: 


- Duty to respect the Salesforce Processor BCR; 

- Creation of third party beneficiary rights for Data Subjects; 

- Liability of salesforce.com France S.A.S for paying compensation and to remedy breaches to the 
Salesforce Processor BCR; 

- Burden of proof on salesforce.com France S.A.S to demonstrate that the member of the 
Salesforce Group outside of the EU or the external Sub-processor is not liable for any violation of 
the rules which has resulted in the Data Subject claiming damages; 

- Easy access for the Data Subjects to access the Salesforce Processor BCR and in particular 
information about their third party beneficiary rights and on the means to exercise those rights; 

- Existence of a complaint handling process for the Salesforce Processor BCR; 

- Duty for the Salesforce Group to cooperate with the Supervisory Authorities; 

- Duty for the Salesforce Group to cooperate with the Controller; 

- Description of the privacy principles; 

- List of entities bound by the Salesforce Processor BCR; and 

- Transparency requirement where national legislation prevents the Salesforce Group from 
complying with the Salesforce Processor BCR. 


C. Modalities 


The Data Subjects’ rights as mentioned under sections A and B above shall cover the judicial remedies for 
any breach of the third party beneficiary rights guaranteed and the right to obtain redress and where 
appropriate, receive compensation for any damage. 


In particular, Data Subjects shall be entitled to lodge a complaint before: 

- the competent Supervisory Authority (with a choice for the Data Subject to choose between the 
Supervisory Authority of the EU Member State of his/her habitual residence, place of work or place of 
alleged infringement, or, if the Data Subject is based in Switzerland, the Swiss Federal Data Protection 
and Information Commissioner; and 

- the competent court of the EU Member State (with a choice for the Data Subject to act before the courts 
where the Customer or the Salesforce Group has an establishment or where the Data Subject has his or 
her habitual residence, or, if the Data Subject is based in Switzerland, the competent Swiss court. 


Where the Salesforce Group and the Customer involved in the same processing are found responsible for 
any damage caused by such processing, the Data Subject shall be entitled to receive compensation for the 
entire damage directly from the Salesforce Group. 


The Salesforce Processor BCR are made available to Data Subjects here. 


8. Liability and Enforcement 

Salesforce’s contracts with Customers shall include a reference to the Salesforce Processor BCR and the 
Salesforce Processor BCR shall form part of those contracts. These contracts shall comply with Article 28 
of the GDPR. 


In accordance with such contracts, Customers shall have the right to enforce the Salesforce Processor 
BCR against any member of the Salesforce Group, for breaches they caused including judicial remedies 
and the right to receive compensation. Moreover, Customers shall have the right to enforce the Salesforce 
Processor BCR against salesforce.com France S.A.S. in case of: (i) a breach of the Salesforce Processor 
BCR or of the contract by members of the Salesforce Group established outside of the EU; or (ii) a breach 
by external Sub-processors established outside the EU of their sub-processing agreement with the 
Salesforce Group. 


salesforce.com France S.A.S accepts responsibility for and agrees to take the necessary actions to remedy 
the acts of other members of the Salesforce Group established outside of the EU and third-party 
Sub-processors for breaches of the Salesforce Processor BCR or breaches caused by third-party 
Sub-processors established outside the EU and to pay compensation for any damages resulting from a 
violation of the Salesforce Processor BCR. 


salesforce.com France S.A.S accepts liability as if the violation had taken place by salesforce France 
S.A.S in France instead of the member of the Salesforce Group outside of the EU or the third party 
Sub-processor established outside the EU. Salesforce France S.A.S may not rely on a breach by a 
Sub-processor (internal or external to the Salesforce Group) of its obligations in order to avoid its own 
liabilities. 

With regard to Data Subjects, salesforce.com France S.A.S has the burden of proof to demonstrate that the 
member of the Salesforce Group outside of the EU or the third party Sub-processor is not liable for any 
violation of the rules which has resulted in the Data Subject claiming damages. 


With respect to Customer, to the extent a Customer can demonstrate that Customer has suffered damages 
and establishes facts showing that it is likely that such damages have occurred because of the Salesforce 
Group’s breach of the Salesforce Processor BCR salesforce.com France S.A.S. shall be responsible for 
providing that the Salesforce member outside of the EU — or the third-party Sub-processor — was not 
responsible for the breach of the Salesforce Processor BCR giving rise to the damages or that no such 
breach took place. 


If salesforce.com France S.A.S. can prove that the Salesforce member outside of the EU is not responsible 
for the act leading to the damages suffered by Customer or the Data Subject, salesforce.com France S.A.S 
may discharge itself from any responsibility. 


9. Cooperation with Supervisory Authorities 

The Salesforce Group shall cooperate with Supervisory Authorities with jurisdiction over the Salesforce 
Group or competent for Customers, reply to any requests they make within a reasonable time frame and 
abide by the advice and recommendations of the relevant EU member state regarding the interpretation 
and application of the Salesforce Processor BCR. 


Upon request and subject to duties of confidentiality, the Salesforce Group shall provide relevant EU 
member state Supervisory Authorities with jurisdiction over the Salesforce Group or competent for 
Customers: (i) a copy of the Salesforce Group’s annual assessment of compliance with the Salesforce 
Processor BCR and/or other documentation reasonably requested; and (ii) the ability to conduct an onsite 
audit of the Salesforce Group’s architecture, systems and procedures relevant to the protection of Personal 
Data. 


10. Local Law Requirements 

As set forth in applicable contracts with Customers, the Salesforce Group shall comply with applicable 
law in its processing of Personal Data. Where applicable law requires a higher level of protection for 
Personal Data than provided for in the Salesforce Processor BCR, the local applicable law shall take 
precedence. 


Where the Salesforce Group reasonably believes that applicable existing or future enacted or enforceable 
law prevents it from fulfilling its obligations under the Salesforce Processor BCR or the instructions of a 
Customer, it shall promptly notify the Salesforce Group’s Privacy department in addition to affected 
Customers, the Supervisory Authority competent for the Customer and the Supervisory Authority 
competent for Salesforce. In such a case, the Salesforce Group shall use reasonable efforts to make 
available to the affected Customers a change in the Services or recommend a commercially reasonable 
change to the Customers’ configuration or use of the Services to facilitate compliance with applicable law 
without unreasonably burdening Customers. If the Salesforce Group is unable to make available such 
change within a reasonable period of time, Customers may terminate the applicable order form(s) in 
respect to only those Services which cannot be provided by the Salesforce Group in accordance with 
applicable law by providing written notice to the member of the Salesforce Group with whom the 
Customer has contracted. Such Customer shall receive a refund of any prepaid fees for the period 
following the effective date of termination for such terminated Services. 


In accordance with applicable contracts with Customers, the Salesforce Group shall communicate any 
legally binding request for disclosure of Personal Data by a law enforcement authority or state security 
body to the impacted Customer unless the Salesforce Group is prohibited by law from providing such 
notification. 


To the extent the Salesforce Group is prohibited by law from providing such notification, the Salesforce 
Group shall: (i) review each request on a case-by-case basis; (ii) use best efforts to request that the 
confidentiality requirement be waived to enable the Salesforce Group to notify the appropriate 
Supervisory Authority competent for the Customer and the CNIL in its capacity as competent Supervisory 
Authority for the Salesforce Processor BCR; and (iii) maintain evidence of any such attempt to have a 
confidentiality requirement waived. 


On an annual basis, the Salesforce Group shall provide the appropriate Supervisory Authorities competent 
for impacted Customers and the CNIL with general information about the types of legally binding 
requests for disclosure of Personal Data the Salesforce Group receives by law enforcement authorities. 


Transfers of Personal Data by the Salesforce Group to any public authority cannot be massive, 
disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic 
society. 


11. Data Protection Officer 


The Salesforce Group has appointed a data protection officer in accordance with its legal obligation for 
the Salesforce Group who can be reached at privacy@salesforce.com. 


12. Salesforce Processor BCR and Applicable Law 


Where national law applicable to the Salesforce Group requires a higher level of protection for Personal 
Data than what is set out in the Salesforce Processor BCR, then that national applicable law will take 
precedence over the Salesforce Processor BCR. 


In any event the Salesforce Group shall process Personal Data in accordance with the national law 
applicable to the Salesforce Group. 




Appendix A — Services to which the Salesforce Processor BCR applies 


The Salesforce Processor BCR applies to the services branded as the following: 


Accounting Subledger 

Admissions Connect 

Advertising Studio (formerly branded as Social.com and Active Audiences) 

Audience Studio and Data Studio (formerly branded as Krux or Salesforce DMP) 
Automotive Cloud 

Body Copy Generation in Einstein Copy Insights and Content Builder 

B2B Commerce and B2B Commerce on Lightning Experience (formerly branded as CloudCraze) 
B2C Commerce (formerly branded as Commerce Cloud or Demandware) 

Chatter 

Consumer Goods Cloud 

Customer Data Cloud (formerly branded as Salesforce Data Cloud) 

Customer Data Platform (formerly branded as CDP formerly branded as Customer 360 
Audiences) 

Customer 360 Data Manager 

Data Cloud Einstein Lookalikes 

Datorama 

Datorama Reports for Marketing Cloud 

Digital Process Automation 

D2C Commerce (formerly branded as Salesforce Commerce for B2C and B2B2C Commerce) 
Education Cloud 

Einstein Bots 

Einstein Conversation Insights 

Einstein Conversation Mining 

Einstein Copy Insights 

Einstein Discovery Classic (formerly branded as Einstein Discovery and BeyondCore) 
Einstein Engagement Scoring 

Einstein for Platform 

Einstein for Sales 

Einstein for Service 

Einstein GPT for Commerce 

Einstein GPT for Sales 

Einstein GPT for Service 

Einstein Prediction Builder 

Einstein Relationship Insights 

Einstein Vision and Language 

Einstein Vision for Social Studio 

Emergency Program Management 

Employee Productivity 

Enablement 

Enhanced Messaging 

Evergage (services branded or sold as Evergage, Data Science Workbench, and Data Warehouse) 
ExactTarget 

Experience Cloud (formerly branded as Community Cloud) 

Feedback Management 

Financial Services Cloud 

foundationConnect 

Government Cloud Plus 

Grants Management 

Headless Browser Service 

Health Cloud 

Heroku 

High Velocity Sales 

Intelligent Form Reader (IFR) 

Interaction Studio 

IoT Cloud 

IoT Explorer 

Lightning Platform (including Force.com) 
LiveMessage 

Loyalty Management 

Manufacturing Cloud 

Marketing Cloud Einstein (formerly branded as Predictive Intelligence) 
Marketing Cloud for Nonprofits 

Messaging 

Messaging for In-App and Web 

Microsoft Teams Integration 

MuleSoft 

Net Zero Cloud (formerly branded as Sustainability Cloud) 
Non-Profit Cloud 

Nonprofit Cloud Case Management 

Non-Profit Cloud for Grantmaking 

Order Management 

Pardot and Pardot Einstein 

Privacy Center 

Public Sector Solutions 

Referral Marketing 

Revenue Lifecycle Management 

Safety Cloud 

Sales Cloud and Sales Cloud Einstein 

Sales Enablement (formerly branded as myTrailhead) 
Salesforce Anywhere (formerly branded as Quip) 
Salesforce Connect 

Salesforce Contracts 


Salesforce CPQ and Salesforce Billing (together formerly branded as Salesforce Quote to Cash) 


Salesforce Inbox 

Salesforce Maps (Map Anything) 
Salesforce Order Management 

Salesforce Private Connect 

Salesforce Sales Planning 

Salesforce Slack Integration Proxy 
Salesforce Web3 

Salesforce.org Elevate 

Salesforce.org Insights Platform: Data Integrity 
Service Cloud and Service Cloud Einstein 
Service Cloud Voice 

Shift Management 

Site.com 

Slack (paid subscriptions and associated workspaces) 

Social Studio 

Student Success Hub (including the former Salesforce Advisor Link). 

Subject Line Generation in Einstein Copy Insights and Content Builder 

Subscription Management 

Tableau CRM (formerly branded as Einstein Analytics, Analytics Cloud or Wave Analytics) 
Tableau Online 

Vlocity Services comprising Vlocity Communications, Vlocity Media and Entertainment, Vlocity 
Energy & Utilities, Vlocity Insurance, Vlocity Health, Vlocity Public Sector, Communications 
Cloud, Energy & Utility Cloud, and Media Cloud (all formerly branded as Vlocity Managed 
Packages) 

WDC 

Workplace Command Center 

Workforce Engagement Management (WEM) 